Is There a Konami Code For Cyber Talent?

We often talk about a talent shortage in cybersecurity. Maybe we aren’t looking in the right places. There are lots of other fields rife with talent that could successfully transition into our industry. So what can we do to create and encourage that pipeline?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest Kelly Haydu, vp, infosec, technology, and enterprise applications, CarGurus.

Huge thanks to our sponsor, Panoptica, Cisco’s Cloud Application Security Platform

Panoptica, Cisco’s Cloud Application Security solution, provides end-to-end lifecycle protection for cloud native application environments. It empowers organizations to safeguard their APIs, serverless functions, containers, and Kubernetes environments. Panoptica ensures comprehensive cloud security, compliance, and monitoring at scale, offering deep visibility, contextual risk assessments, and actionable remediation insights for all your cloud assets.

Full Transcript

Best advice I ever got in security. Go!

[Kelly Haydu] Early on in my career, I received advice from somebody that was actually not in the security space, and they said try not to boil the ocean. Back in my early days, I was very excited to try to implement a lot of different things at once because I felt like, “Oh, there’s a risk here.

There’s a risk here. There’s a risk here. We have to be able to mitigate all of these risks.” But in reality, security is a very broad landscape, and you can’t boil the ocean. You can’t bite off everything at once, so prioritizing those critical gaps is very, very important.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of said CISO Series and the host as well, as you are hearing from my voice. Guess what? I have another cohost. His name is Mike Johnson, and he is also the CISO of Rivian.

Do people know you more as the cohost of the CISO Series Podcast, Mike, or the CISO of Rivian?

[Mike Johnson] Oh, it’s certainly as part of this fabulous podcast. This is how I’m known. I get stopped in the street all the time of, “Hey, you’re that guy that’s the cohost of that awesome podcast.” So, the rest of it, nobody really cares about it.

[David Spark] Are you just stroking my ego here at this point?

[Mike Johnson] Absolutely.

[David Spark] Okay, thank you. I appreciate that. This is what all my cohosts know how to do. By the way, we’re available at ciso-dev.davidspark.dcgws.com. Our sponsor for today’s episode is Panoptica. That’s Cisco’s cloud application security solution. It provides end to end life cycle protection for cloud native application environments.

More about that later in the show. Now, Mike, I have a quick story I want to tell right up front, and this has to do with Thanksgiving break. I got a chance to have dinner with friends from my old hometown that I had not seen since I was, get ready for this, 13 years old.

[Mike Johnson] That was a while ago.

[David Spark] That was a while ago, yes. And so we were talking about things from grade school to up to junior high, and… Because I went through the public school system through seventh grade and then private school after that, so I didn’t really see them at all afterwards.

Now, someone told me a story that I had completely forgotten.

[Mike Johnson] Oh, great.

[David Spark] 100% forgotten. And I was piecing it together, and I go, “I guess that’s what happened.”

[Laughter]

[David Spark] So, here’s the part I do remember. I had a social studies class, and I had a teacher named Mr. Tinnery [Phonetic 00:02:53]. He’s unfortunately no longer with us. And he said, “If you put a picture or a graph in your report, you can get an extra five points.”

[Mike Johnson] Okay.

[David Spark] So, what did I do? I put a lot of pictures and a lot of graphs in my report. And I knew I got, like, well over a hundred points. My friend, Chris, said, “Oh, no, I know exactly how much you got. You got 167.”

[Mike Johnson] Okay.

[David Spark] All right. So, that’s the part I remember. I remember writing the report. I have a vivid memory of getting this ludicrous score afterwards. Later we have a geography test, and my paper and this test are going to be equally weighed. I guess I was taunting my teacher or something.

I don’t know what. But this is the part I didn’t remember, and Chris vividly remembered it. I was sitting right next to him during the test. He goes, “Mr. Tinnery, I just need to…” We were all taking the test. “I need to check something in the book.” And he goes, “David, don’t… What are you doing?

No.” I go, “I’m just going to look up something quick. I just need to look up one quick little thing right here.” And, you know, Chris can’t believe it, and none of the other students can believe it. And so he goes, “David, no…” And I’m going to reach for the book.

“David, what are you…? David, if you open that book, you get a zero.” I opened the book. He goes, “David, you got a zero.” And I said, “All right, I have 167 on my paper, a 0 on this. That’s a B average. I’m cool with that.”

[Mike Johnson] [Laughs]

[David Spark] The whole class laughed. Even Mr. Tinnery laughed at that. And the way I realized it, I had at that point I think already gotten into private school, and they pretty much just said, “Oh, well, make sure you have a B average.”

[Mike Johnson] Yeah, you didn’t care.

[David Spark] I didn’t care at all. [Laughs]

[Mike Johnson] Senioritis.

[David Spark] But I was in seventh grade at the time.

[Mike Johnson] Well, you can get senioritis young it turns out.

[David Spark] I guess so. All right. I just had to share. That story cracked me up. I was just like, “I guess so.” All right, let’s jump into this. I want to bring our guest on. I’m very thrilled. Actually, our guest was referred to me, and so I’m so thrilled that she’s able to join us for this very discussion.

It is the vice president of information security, technology, and enterprise applications over at CarGurus, none other than Kelly Haydu. Kelly, thank you so much for joining us.

[Kelly Haydu] Thank you so much for having me. I’m excited to be here.

Okay, what’s the risk?

5:08.022

[David Spark] Cybersecurity professionals will be quick to tell you that, “Compliance does not equal security.” It’s an old discussion, and it doesn’t take much to have a security pro talk your ear off about compliance checkboxes. That doesn’t change the fact that compliance is still needed for your organization.

So, is there a way to build risk based compliance, something that bridges the gap between technical security controls and business risk, wondered Bill Frank in a recent piece on LinkedIn. Now, essentially should compliance and security remain separate concerns, or is there a way to create efficiencies, this is a key thing, between the two, reduce the cost, and better communicate business risk to an organization?

So, is there a way, Mike, to create efficiencies?

[Mike Johnson] I liked how the author put it around discussing how to implement. And really, when you think about compliance frameworks, they tell you what to do but not how to do it. An opportunity that I think security leaders have is to work with the business on, “Okay, well, we’ve got…compliance says we’ve got to do this thing.

Let’s get creative on how we do that. Let’s find a way that aligns with maybe even your current practices.” We’re not necessarily having to do anything new, but it actually meets the expectations of the regulation, of the compliance framework, or what have you.

And so I think the opportunity that the security leader has is to help manage the costs of implementation by providing guidance to say, “This thing…you think you may need to go and do all these intricate, difficult controls, but the reality is you don’t have to do all that.

This is what we need to do in order to meet our security expectations and also the compliance expectations.” And so I really think that how to implement point that the author made, I think that’s a really good thing to anchor on when you’re talking with the business.

[David Spark] Good point. Kelly, did you wrap around the how to implement element?

[Kelly Haydu] I did, but first, before implementation, we have to really get buy in. And a lot of people struggle with that. They’ll go through their benchmarking exercise. They’ll highlight their gaps in the controls that they have in place, and then they’ll go to the executive team, or they’ll go to the board, and they’ll say, “Hey, we have all of these gaps.” And back to my earlier point, it’s like how do you resolve all of those gaps?

How do you understand what are your critical ones? Because you’re not going to get the budget and funding for everything up front. So, one thing that I recommend is bringing in a third party to do an enterprise wide level risk assessment for your organization.

One, that’s going to help define each area of the business and educate them on what their level of risk is.

So, it’s not just related to security, but it’s related to the entire enterprise. When you start talking about how it impacts somebody’s day to day and less around the technical, that will help drive adoption. The second thing it’ll do is it’ll help solidify your areas of interest to the business stakeholders.

And when you’re identifying the gaps in your areas, you can correlate them back to what the third party did, and then in some cases you may have missed your own as part of your independent assessment. But I think bringing that harmony across the business and letting people understand that it’s not just about a technical risk but more an enterprise level, that helps.

I’ve seen organizations… And it depends on the size and reporting structure of the organization, but I’ve seen organizations where they split duties – where you have the technical assessments and the vendor evaluations conducted by the security or IT risk and compliance team.

And then they highlight those control deficiencies. They work with the vendors and other technical teams in the business to determine how they can mitigate the risks and costs associated with a breach. They’ll work with the finance team to do a financial technical assessment.

They’ll oversee the GRC platforms and working with engineering teams on security and privacy by design in the FCLC [Phonetic 00:09:45]. Lastly, you’ll have legal, and legal is going to be the one that’s really kind of in charge of that corporate governance program.

And that corporate governance program will help educate the board and the audit committee to help determine the corporate risk culture, and to what Michael said earlier, the risk appetite and threshold of the organization.

Question for the board.

10:08.038

[David Spark] So, building off our last discussion, one of the reasons it’s so important to connect cyber security risk to a business is that’s how you get budget. You’re with me on this, right, Kelly? Oh, yeah. She’s nodding her head. Okay. So, for a CISO, that increasingly means communicating these risks directly to the board, which Kelly was singing the praises of that moments ago.

But even as CISOs become more empowered to drive cyber security decisions, they still need a strategy to approach the board when it comes to budgets, as Deb Radcliff pointed out in a piece for CSO Online. This can mean quantifying organizational benefits to other departments, loss avoidance and cost reduction through cyber security spending, or comparing the total cost of ownership with the costs and risks of not implementing a solution.

So, if you’re going to the board with a budget request, how are you connecting that to other business objectives, or, like you made a reference to, Kelly, does that third party…is that kind of a critical asset you need to do just this?

[Kelly Haydu] So, first, I want to state that I think budget conversations should come up through the CEO or whoever the CISO is reporting to. In my case, I report into the CTO, but at prior organizations it’s been the CFO or chief legal officer. Part of the enterprise risk management’s presentation to the audit committee with the head of security included is to highlight the risks and incidents on a quarterly basis.

So, you’re not necessarily going to them and saying, “Hey, I need funding for X, Y, and Z.” What you’re doing is you’re talking about the progress of the program’s maturity, and you’re making sure that when it comes time for that annual budget review that there’s no surprises as to what incremental spend may be required to help mitigate those agreed upon risks.

And so one thing that we did here is… I also oversee IT. We stood up an IT software governance committee where we evaluate all the software in the organization for duplicity. That really helps reduce unnecessary risk and cost reductions throughout the business.

The board loves that. Because as we’re starting to turn down some of that software and mitigate that risk, it actually is easier to go to them and say, “Hey, we’ve saved four million dollars this year on X, Y, and Z software reduction. We need let’s say 200,000 to implement this.” So, it’s a given and a take.

[David Spark] All right. Mike, very, very interesting. Everything is a negotiation. What’s your take on this, and how is it sort of similar or different to what Kelly pointed out?

[Mike Johnson] It’s a lot of similarities to what Kelly was discussing. I think one of the key points that she made in there that I really agree with is avoiding surprises.

[David Spark] We hear that all the time for board discussions – nothing should come as a surprise when you talk to the board.

[Mike Johnson] No. And more importantly, nothing should be a surprise to your boss or the CEO when you’re talking to the board. The absolute worst thing that you can do is actually make it look like your leadership is not in the know as well, and that’s going to go badly for everyone.

So, principle of least surprise definitely applies when talking with the board. And I like the idea that Kelly was mentioning of use your assessments…risk assessments, your maturity models to paint the picture and set up those future discussions to be able to come back and say, “Well, we agreed that these were our risks.

This is what it’s going to cost to mitigate those to the level that you said you wanted us to. Let’s move forward.” And then you have everyone on the same page. And you’re able to then have those conversations. So, I really like that point, and I also like the give and take that Kelly mentioned – the idea of really as an executive leader you’re getting a budget envelope.

You can move stuff around within that. And if you have something that you realize that you don’t need, don’t spend the money. And if there’s something else that’s really important that’s more important than what you were going to spend your money on, go put it over there.

Don’t waste money.

[David Spark] Let me ask you a question, if you’ve done this. I had a friend not in cyber security who did this little game. She would create a spreadsheet and say… She would have above the lines and below the lines type things, stuff that you can mess with and the stuff you can’t mess with.

And it was kind of a magician’s trick of, “I’m going to let you think… You can change the budgets of everything in here but nothing here.” And that allowed you to sort of control a certain amount of your budget. Do you ever kind of play that game a little bit or no?

[Mike Johnson] These are all different perspectives on the same concept of you’ve got those things that you absolutely must deliver, and you have no choice on those spend.

[David Spark] Like locks on the door. There’s certain things of like locks on the door.

[Mike Johnson] Yes.

[David Spark] Like we have to buy this.

[Mike Johnson] Yes. Yeah. And you can look forward and say, “Well, we could spend a little bit more money now and get ahead of something down the road.” Or, “We don’t spend the money on that right now, and we come back to it later, and that’s fine.”

Sponsor – Panoptica

15:40.748

[David Spark] Before I go on any further, I do want to mention our awesome sponsor, Panoptica. Panoptica empowers organizations to safeguard their APIs, serverless functions, containers, and Kubernetes environments. Panoptica ensures comprehensive cloud security, compliance, and monitoring at scale, offering deep visibility, contextual risk analysis, and actionable remediation insights for all your cloud assets.

Powered by graph based technology, Panoptica’s attack path engine prioritizes and offers dynamic remediation for vulnerable attack vectors, helping security teams quickly identify and remediate potential risk across cloud infrastructures.

A unified cloud native security platform minimizes gaps from multiple solutions, providing centralized management and reducing noncritical vulnerabilities from fragmented systems. Panoptica utilizes advanced attack path analysis, root cause analysis, and dynamic remediation techniques to reveal potential risks from an attacker’s viewpoint.

This approach identifies new and known risks, emphasizing critical attack paths, and their potential impact. This insight is unique and difficult to glean from other sources of security telemetry such as network firewalls. Get more information on Panoptica’s website.

That is panoptica.app. Check it out.

It’s time to play, “What’s worse?”

17:24.946

[David Spark] All right, Kelly, are you familiar with this game?

[Kelly Haydu] No.

[David Spark] You’re not familiar. All right. Well, it is fictional scenarios. Two scenarios.

[Kelly Haydu] [Laughs]

[Mike Johnson] You’re going to love it.

[David Spark] They both stink. Let me stress that. And especially these… Today’s real… Sometimes we have two good versions, and which one is less good than the other one. That happens periodically. But these both stink. And actually, I’m kind of surprised this one hasn’t come up before because it’s pretty obvious, a good “What’s Worse” scenario.

[Mike Johnson] Okay.

[David Spark] So, it comes from David Ratner of HYAS, who’s been a phenomenal sponsor and a past guest, David has been, on the CISO Series. So, here he goes. And by the way, Kelly, I make Mike answer first, and you can agree or disagree with him, and you just have to give your reasoning.

All right? But Mike will answer first. Here we go. Super quick, super easy. What’s worse? Having your data encrypted or having your data sold on the dark web?

[Mike Johnson] So, I assume this is really a question of the ransomware operators that…

[David Spark] Right, but the ransomware operator could technically do both. But in this case, the first scenario it’s encrypted, and you don’t have access to the data. And the second scenario is you still have access to your data. There just happens to be another copy floating on the dark web.

[Mike Johnson] Yeah. And what I was really just making sure was this was somebody doing this to you. This wasn’t you making the decision to encrypt your own data.

[David Spark] Yes, exactly.

[Mike Johnson] I was like I want to encrypt my own data. That’s great. I love this idea.

[Kelly Haydu] That’s how I heard it as well. I said, “Oh, well, of course the right answer is going to be like you want your data encrypted.”

[David Spark] Yes. Yes. I did… Let me clarify, yes, somebody else has encrypted your data. You don’t have the key to it. Okay.

[Mike Johnson] So, Kelly, we’re not allowed to say, “It depends on this,” but it depends.

[David Spark] Oh my God, how did you just do that?


[Mike Johnson] I’m going to give my answer. I’m going to give my answer. I’m going to give my answer because this is very much an availability versus confidentiality conversation.

[David Spark] Correct.

[Mike Johnson] Right? If you look at the CIA triad, confidentiality, integrity, and availability. This is confidentiality versus availability and balancing those two.

[David Spark] Again, I just can’t… I don’t think we’ve done this one before. This seems pretty obvious.

[Mike Johnson] I’m surprised, but now that I’m talking through it, I think you could have actually done a, “What’s Worse,” with all three.

[David Spark] Of course we could have.

[Mike Johnson] Which is somebody tampers with your data, and you don’t know that they’ve done that.

[David Spark] Yes. That’s the integrity. Yes, so that could have been a third one. Feel free to throw that one in.

[Kelly Haydu] Please don’t.

[Mike Johnson] No. No, I’m going to keep it…

[David Spark] Keep it easier.

[Mike Johnson] So, for most companies, the availability is the biggest concern.

[David Spark] Yes.

[Mike Johnson] That you don’t have your data, that you can’t operate in your business, that you can’t make sales. If you don’t have your data, you don’t operate. The fact that your data has leaked is painful. As has been discussed, these both super suck.

So, having your data out there, you’re going to have to disclose. You’re going to have to make your customers happy. You might have some fines that you have to pay. It’s going to suck. But even worse is being out of business.

[David Spark] Now, let me ask you, do you think the second scenario could…? I mean it’s not common, but it could put you out of business. But the risk is much lower.

[Mike Johnson] It could. It could.

[David Spark] The first one is 100% guaranteed you’re not in business.

[Mike Johnson] Exactly. And that’s why I do think the someone else encrypts your data is the worse one because 100% you’re out of business. The other one, it’s 50%. Still sucks. You don’t want your business to rely on a coin flip. But certainly if you don’t have your data, you’re done.

[David Spark] All right. I guess you could say this is a risk management. So, do you agree or disagree here, Kelly?

[Kelly Haydu] I have a different perspective on it.

[David Spark] And this happens sometimes. You can agree and have a different perspective.

[Kelly Haydu] So, yeah, they do both suck. But if they have your data encrypted, it doesn’t mean that you don’t have a backup.

[David Spark] Well, that’s a, “It depends,” things. Because in this game, it’s encrypted. That’s just the way it is.

[Kelly Haydu] But all of it?

[David Spark] Well…

[Mike Johnson] I like the idea of negotiating with the person who’s holding your ransoms.

[Laughs]

[David Spark] What was it Bruce Schneier said? “Don’t fight the hypothetical.”

[Laughter]

[David Spark] [Inaudible 00:21:44]

[Kelly Haydu] I think… And, again, the what if scenario, but if they have your data, it could be public data. You could be a company that has just public data, so who cares if they have it. By the way, everybody has everybody’s data nowadays. Now with generative AI coming out, there is going to be even more data floating around out there.

[David Spark] So, this is an argument to no longer have privacy at all whatsoever, Kelly?

[Kelly Haydu] Well, I didn’t say that, but…

[Laughter]

[David Spark] I’m messing with you. Go ahead.

[Kelly Haydu] Because I’m a big privacy proponent.

[David Spark] Yes.

[Kelly Haydu] But I don’t know. I think it depends on the scenario.

[David Spark] You got to pick one. Again, you can’t say, “It depends.” You got to pick one. Are you going with it’s worse to have your data encrypted or worse to have it sold on the dark web? Mike thinks the first one is worse.

[Kelly Haydu] Honestly, I think the second one.

[David Spark] Is worse?

[Kelly Haydu] Yeah. I mean, you might not even know that it’s out there. So, Mike talked about having to disclose it. Well, if it’s out there on the dark web and you don’t even know, you don’t know what’s going on with your data.

[David Spark] Good point.

[Mike Johnson] Yeah, totally good point.

[Kelly Haydu] I would rather deal with the known than the unknown.

[David Spark] And by the way, that’s what you always say, Mike. I think she’s arguing that you should be changing your mind here.

[Crosstalk 00:23:03]

[David Spark] Which, by the way, Kelly, this happened once on the show.

[Crosstalk 00:23:09]

[Mike Johnson] I made my point, and I’m sticking with it.

[David Spark] He’s sticking with it. All right. Kelly, good try though.

[Mike Johnson] But it’s a very good point of the known versus the unknown.

[David Spark] I’m glad you disagreed.

Would this person be a good fit for the job?

23:20.437

[David Spark] We often talk about the unique road every CISO takes to coming into their role, but can that kind of diversity of talent also benefit cyber security across the career spectrum? Sure, it’s common practice to bring people in from IT into cyber security, but what about other professions that could thrive if brought into the industry?

So, gamers present a wide pool of candidates with unique qualifications that lend themselves to pen testing, points out Jim Broome in a piece on Dark Reading. Or what about roadies and sound engineers who have to navigate complex systems in a stressful production environment like a concert?

As we’re coming to recognize that traditional degrees aren’t required for cyber security positions, what kind of framework do we need to surface a more diverse array of talent, Mike? So, I think this is interesting. Gamers, sound engineers. Because, yeah, both… Especially sound engineers.

Oh my God, problems are always happening at live events, and you have to triage them constantly.

[Mike Johnson] Yeah, the sound engineers is not one that I have heard before, and it was a really good perspective. The gamers I’ve heard. Like problem solving, quick reaction time, being able to make decisions with limited information. The gamer aspect…

[David Spark] But the difference with the gamers is gamers can pause the game and walk away.

[Mike Johnson] It depends on the game.

[David Spark] If it’s a live game, yeah.

[Mike Johnson] If it’s competitive first person shooter, you walk away…

[David Spark] You’re toast, yes, exactly.

[Mike Johnson] But what I find interesting in kind of thinking on this is it’s almost as if we’ve come full circle from the early days of cyber security. Back in the day, there was no cyber security degrees. When I got started, that just didn’t happen.

Those programs did not exist. So, by definition, everyone in cyber security generally was coming at it from some different perspective, from a different direction. And then we went to this period where there was this drive to get cyber security degrees.

And folks were expected to have a cyber security degree. I think we’re coming back to realizing that there are so many different backgrounds and perspectives that people can come from that can bring value to, frankly, our still weird field.

Cyber security is just this odd duck of a career where it’s this amalgamation of everything. All these different things, all these different problems, different perspectives just kind of lumped together. And so I’m glad to see that we’re coming back to being more open from other perspectives.

To your point about a framework, I think it’s similar to things that we’ve talked about in the past on the show, which is trying to find folks who have passion, interest, and a willingness to learn. And giving them those early career, first job kind of perspectives, and being able to bring in folks like that and give them the support structure to move from there.

So, I think it’s really more around our companies needing to have the structure to bring in folks from different backgrounds, and then we’ll find them.

[David Spark] All right, that’s an interesting perspective. Kelly, what’s your perspective of bringing people from not the traditional outlets or looking at certain careers that have good problem solving built in them, or hobbies, with gaming?

[Kelly Haydu] David, this question is near and dear to my heart.

[David Spark] Are you a gamer yourself?

[Kelly Haydu] I’m not. I’m going to take it a different direction. But I’m going to double down on Mike’s point around education. So, I graduated…my undergraduate degree was in human science and services, and my minor was in psychology. I was not given a chance, and I was questioned on that degree for a really long time.

It was super annoying. What people didn’t realize is from a cyber perspective, you have to be able to have a different mindset and think about how an attacker would be looking at your network and how different personalities will actually think about attacking your network.

So, at CarGurus, we’re really committed to DEIB, diversity, equity, inclusion, and belonging. And we really focus on that from a recruiting and retaining talent perspective. So, when I look at talent… And I think part of this was not a chip on my shoulder but my background of not being given that chance, I hyper focus on it.

So, I look for people that are collaborators, customer focused. I look for people that want to be mentored. They have the attitude and the aptitude. I don’t specifically look for things on resumes because then that would be unconscious bias.

One thing that I thought was really interesting is… And, Mike, I don’t know if you’ve heard about this or not, but Algorave, it’s live streaming of coding music, and it’s super, super interesting. The founder of Sonic Pi originally learned how to code in basic and then introduced this live streaming component at the same time.

I have a YouTube video if you’re interested in looking into it. But if you look at that, musicians have a way of translating the ones and the zeroes in coding. And a lot of people don’t understand that… “Oh, you have an art degree, or you’re a musician.

How are you going to be able to be a developer or work in security?” It’s a different part of the brain. I’m an artist, and people are very surprised when they look at some of my work and say, “Wow, I thought you were a science person. I thought you were an IT person.” And I’m like, “Yeah, but I use my other side of the brain because they kind of… Both of them correlate together.”

What do you think of this vendor marketing tactic?

29:42.873

[David Spark] CISO and vendor relationships are at the heart of this show. And over the years, we’ve tried to talk about how to make the most of that relationship. But what happens when a vendor goes over your head to the CEO? I’m sure this has happened to both of you.

That question came up on the cybersecurity subreddit, specifically about vendors sending security reports on critical issues that are false positives for your organization. Some suggested educating the CEO against putting credence into such messages or just taking a hammer to it and blocking vendors who do this.

All right, we’ll start with you, Kelly. How do you deal with a vendor that decides to pull rank like that?

[Kelly Haydu] Well, our leadership team is pretty good at CarGurus about sending the message back down the chain to us, because most likely if they’re getting the message, we’ve already gotten the message as well. They don’t really respond directly to the requests.

They recognize that they aren’t necessarily the experts, and most of the time they’re scare tactics to get somebody’s attention. We really focus on collaboration, communication, and education back to the leadership team. For vendors that don’t specifically send a report, like you had said, but rather an outreach message to our executive team or board members about their services, and one of our executive members comes to me and says, “Hey, I’d like for you to take this request and engage in a call,” I will always go back to that executive and say, “Is it on our roadmap this year?

Do we already have a solution in place for this? If so, is it worth it to investigate to rip and replace and add a different solution? If we don’t have it on the roadmap, why do they see it as a priority?”

And we can agree or disagree. If we agree, we can change the current roadmap by deprioritizing something else and explaining the risks, again back to the risks, on what it would impact in doing so. At the end of the day, there’s only so many hours that we can perform our jobs.

We can’t take all of the calls. Most of our executive team and board members know what our focus is on because, back to the original question, we have been educating them quarter over quarter on what we’re focused on working on. So, they’re not going to send vendors down to us that aren’t relevant to what we’re trying to accomplish now or in the near future anyways.

So, again, it goes back to education, what we’re working on, how we’re going about doing it, and then sending down the relevant requests for us to look at.

[David Spark] Excellent answer. All right. Mike, your experience with this. First of all, have you had experiences with this, with vendors going over your head?

[Mike Johnson] Certainly. It’s one of those things that I think is a cheap tactic that folks try. I don’t know why.

[David Spark] Let me… Just to dispel vendors, does this ever work, or does it just cause problems? Because my feeling is it just causes problems.

[Mike Johnson] I cannot recall a single time that I’ve made a purchase out of this. There have been times where I’ve had email exchanges with someone, but it’s been, “Hey, thanks, appreciate it. Don’t call us. We’ll call you.”

[David Spark] Yeah.

[Mike Johnson] So, as is evidenced by the Reddit comments, it’s a dangerous tactic. I think really it has very low likelihood of upside and most likely of downside.

[David Spark] Okay. So, I just want all vendors to be aware, not a good route. Now, how have you dealt with this?

[Mike Johnson] Basically, it’s been one of those situations of taking the contact from the CEO and saying, “Hey, I got it. If there’s anything here, I’ll let you know.” And that’s it. The CEO generally never hears of it again. If they do follow up later, it’s like, “Here’s what it was all about.”

[David Spark] My guess is they just forward this to you and go, “What do you think?” kind of stuff.

[Mike Johnson] Generally, yes. And my theory though is they’re not getting just cyber security related inquiries from outside vendors. We talk about this in our industry.

[David Spark] Oh, yeah. Then let’s get harassed by all kinds of vendors.

[Mike Johnson] I appreciate that Kelly is nodding because you’ve got the perspective from the IT side as well, that you guys are getting that. They’re also getting our recruiting services or our construction services. They’re used to this. And they’re not really having skin in the game when they’re passing it along.

They’re just wanting to make sure that there is not something there because they’re not an expert in the area. They don’t want that one in a million chance that there actually is something really bad. They can’t necessarily know one way or the other, so they want to do that due diligence.

But other than that, I think they’re just forwarding it along just in case.

[David Spark] So, they ignore it. It isn’t unique to cyber security. And educating your CEOs, too, if they’re already aware of this, not to worry about it. You’ve got it. That’s why they hired you.

Closing

35:06.021

[David Spark] Thank you, both. That brings us to the very end of the show. And I want to thank our sponsor, Panoptica, Cisco’s cloud application security solution, which provides end-to-end lifecycle protection for cloud native application environments. So, get more information on their site, Panoptica’s website.

That’s panoptica.app. Kelly, I’m going to let you have the very last word. But first, Mike, any last thoughts on today’s episode?

[Mike Johnson] Kelly, thank you so much for joining us. I really loved your perspectives. I like your mention of your artist background as well and how you combine that with all of the other things that you need to think about and bringing that creativity to cyber security.

I also want to give you a whole lot of credit for calling out the fact that the board isn’t involved in budgetary conversations. There seems to be so many people out there who think that’s the case. So, thank you for stressing that to our audience. Thank you for joining us.

I loved the points. I loved the conversation. I’m sure a lot of people will get a lot of value out of it.

[David Spark] Excellent. Kelly, any last words? And I always ask our guests, “Are you hiring?” Are you hiring?

[Kelly Haydu] I am hiring. I have a few open roles right now.

[David Spark] Awesome. How’s the best way to contact you or find out about these jobs?

[Kelly Haydu] cargurus.com/careers. You can find not only jobs that I’m hiring for but other jobs that we’re hiring for right now. And we definitely are hiring.

[David Spark] That’s great to hear. All right. Any other last thoughts?

[Kelly Haydu] I want to thank you both for having me on today. First of all, Carraig, who recommended me to you, David, I deeply appreciate that recommendation.

[David Spark] Thank you, Carraig. Carraig Stanwyckarig.

[Kelly Haydu] And, Mike, it’s very rare that you have the opportunity to talk to somebody else in our position in the automotive industry. And I was very excited to hear that I was going to be talking to you, being from Rivian.

[Mike Johnson] Awesome.

[David Spark] He also used to work with Lyft, so he’s got a lot of automotive. And he is a tinkerer when it comes to vehicles as well.

[Mike Johnson] Real quickly, I’m a CarGurus fan, Kelly. My wife’s vehicle we actually bought through CarGurus.

[David Spark] Aw, look at that. Why didn’t you open with that? You buried the lead.

[Mike Johnson] All connected.

[David Spark] [Laughs]

[Kelly Haydu] Saving it until the end, Mike, huh?

[Laughter]

[Kelly Haydu] I’m also a tinkerer. I took my son’s Jeep apart and added a new radio, soldering the wires and everything. [Laughs]

[Mike Johnson] Awesome.

[Kelly Haydu] So, again, I really want to thank you both for having me on today. It was really a pleasure.

[David Spark] Awesome. Well, thank you very much, Kelly. We greatly appreciate it, and we greatly appreciate our audience. We greatly appreciate your listening and your contributions to CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meet up, and Cyber Security Headlines Week In Review.

This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com.

Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.